Update node to 18 and fixed some security issues (#1298)

2024-01-17 07:21:16 +08:00 · 2024-01-17 07:21:16 +08:00 · 6a8ef4641b
--- a/.azure-pipelines/daily-build.yml
+++ b/.azure-pipelines/daily-build.yml
@ -16,9 +16,9 @@ pool:

 steps:
 - task: NodeTool@0
-  displayName: 'Use Node 14.15.5'
+  displayName: 'Use Node 18'
  inputs:
-    versionSpec: 14.15.5
+    versionSpec: 18.x

 - task: Npm@1
  displayName: 'Install autorest@latest'
@ -32,7 +32,7 @@ steps:
  inputs:
    command: custom
    verbose: false
-    customCommand: 'install -g @microsoft/rush@5.12.0'
+    customCommand: 'install -g @microsoft/rush@5.63.1'

 - task: CmdLine@2
  displayName: 'Rush sync-versions'
--- a/.azure-pipelines/test-sdk.yml
+++ b/.azure-pipelines/test-sdk.yml
@ -2,9 +2,9 @@ pool: pool-windows-2019

 steps:
 - task: NodeTool@0
-  displayName: 'Use Node 14.15.5'
+  displayName: 'Use Node 18'
  inputs:
-    versionSpec: 14.15.5
+    versionSpec: 18.x

 - task: Npm@1
  displayName: 'Install autorest@latest'
--- a/.scripts/publish.yaml
+++ b/.scripts/publish.yaml
@ -12,7 +12,7 @@ pool:
 steps:
 - task: NodeTool@0
  inputs:
-    versionSpec: '14.x'
+    versionSpec: '18.x'
  displayName: 'Install Node.js'

 - script: |
--- a/.scripts/verify-pull-request.yaml
+++ b/.scripts/verify-pull-request.yaml
@ -12,7 +12,7 @@ pool:
 steps:
 - task: NodeTool@0
  inputs:
-    versionSpec: '14.x'
+    versionSpec: '18.x'
  displayName: 'Install Node.js'

 - script: |
--- a/common/scripts/install-run-rush-pnpm.js
+++ b/common/scripts/install-run-rush-pnpm.js
@ -19,7 +19,7 @@ var __webpack_exports__ = {};
  \*****************************************************/

 // Copyright (c) Microsoft Corporation. All rights reserved. Licensed under the MIT license.
-// See the @microsoft/rush package's LICENSE file for license information.
+// See LICENSE in the project root for license information.
 require('./install-run-rush');
 //# sourceMappingURL=install-run-rush-pnpm.js.map
 module.exports = __webpack_exports__;
--- a/common/scripts/install-run-rush.js
+++ b/common/scripts/install-run-rush.js
@ -113,7 +113,8 @@ __webpack_require__.r(__webpack_exports__);
 /* harmony import */ var fs__WEBPACK_IMPORTED_MODULE_1__ = __webpack_require__(/*! fs */ 657147);
 /* harmony import */ var fs__WEBPACK_IMPORTED_MODULE_1___default = /*#__PURE__*/__webpack_require__.n(fs__WEBPACK_IMPORTED_MODULE_1__);
 // Copyright (c) Microsoft Corporation. All rights reserved. Licensed under the MIT license.
-// See the @microsoft/rush package's LICENSE file for license information.
+// See LICENSE in the project root for license information.
+/* eslint-disable no-console */


 const { installAndRun, findRushJsonFolder, RUSH_JSON_FILENAME, runWithErrorAndStatusCode } = require('./install-run');
--- a/common/scripts/install-run-rushx.js
+++ b/common/scripts/install-run-rushx.js
@ -19,7 +19,7 @@ var __webpack_exports__ = {};
  \*************************************************/

 // Copyright (c) Microsoft Corporation. All rights reserved. Licensed under the MIT license.
-// See the @microsoft/rush package's LICENSE file for license information.
+// See LICENSE in the project root for license information.
 require('./install-run-rush');
 //# sourceMappingURL=install-run-rushx.js.map
 module.exports = __webpack_exports__;
--- a/common/scripts/install-run.js
+++ b/common/scripts/install-run.js
@ -21,6 +21,7 @@

 __webpack_require__.r(__webpack_exports__);
 /* harmony export */ __webpack_require__.d(__webpack_exports__, {
+/* harmony export */   "isVariableSetInNpmrcFile": () => (/* binding */ isVariableSetInNpmrcFile),
 /* harmony export */   "syncNpmrc": () => (/* binding */ syncNpmrc)
 /* harmony export */ });
 /* harmony import */ var fs__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(/*! fs */ 657147);
@ -33,22 +34,19 @@ __webpack_require__.r(__webpack_exports__);


 /**
- * As a workaround, copyAndTrimNpmrcFile() copies the .npmrc file to the target folder, and also trims
+ * This function reads the content for given .npmrc file path, and also trims
 * unusable lines from the .npmrc file.
 *
- * Why are we trimming the .npmrc lines?  NPM allows environment variables to be specified in
- * the .npmrc file to provide different authentication tokens for different registry.
- * However, if the environment variable is undefined, it expands to an empty string, which
- * produces a valid-looking mapping with an invalid URL that causes an error.  Instead,
- * we'd prefer to skip that line and continue looking in other places such as the user's
- * home directory.
- *
 * @returns
 * The text of the the .npmrc.
 */
-function _copyAndTrimNpmrcFile(logger, sourceNpmrcPath, targetNpmrcPath) {
-    logger.info(`Transforming ${sourceNpmrcPath}`); // Verbose
-    logger.info(`  --> "${targetNpmrcPath}"`);
+// create a global _combinedNpmrc for cache purpose
+const _combinedNpmrcMap = new Map();
+function _trimNpmrcFile(sourceNpmrcPath) {
+    const combinedNpmrcFromCache = _combinedNpmrcMap.get(sourceNpmrcPath);
+    if (combinedNpmrcFromCache !== undefined) {
+        return combinedNpmrcFromCache;
+    }
    let npmrcFileLines = fs__WEBPACK_IMPORTED_MODULE_0__.readFileSync(sourceNpmrcPath).toString().split('\n');
    npmrcFileLines = npmrcFileLines.map((line) => (line || '').trim());
    const resultLines = [];
@ -57,8 +55,13 @@ function _copyAndTrimNpmrcFile(logger, sourceNpmrcPath, targetNpmrcPath) {
    // Comment lines start with "#" or ";"
    const commentRegExp = /^\s*[#;]/;
    // Trim out lines that reference environment variables that aren't defined
-    for (const line of npmrcFileLines) {
+    for (let line of npmrcFileLines) {
        let lineShouldBeTrimmed = false;
+        //remove spaces before or after key and value
+        line = line
+            .split('=')
+            .map((lineToTrim) => lineToTrim.trim())
+            .join('=');
        // Ignore comment lines
        if (!commentRegExp.test(line)) {
            const environmentVariables = line.match(expansionRegExp);
@ -85,6 +88,28 @@ function _copyAndTrimNpmrcFile(logger, sourceNpmrcPath, targetNpmrcPath) {
        }
    }
    const combinedNpmrc = resultLines.join('\n');
+    //save the cache
+    _combinedNpmrcMap.set(sourceNpmrcPath, combinedNpmrc);
+    return combinedNpmrc;
+}
+/**
+ * As a workaround, copyAndTrimNpmrcFile() copies the .npmrc file to the target folder, and also trims
+ * unusable lines from the .npmrc file.
+ *
+ * Why are we trimming the .npmrc lines?  NPM allows environment variables to be specified in
+ * the .npmrc file to provide different authentication tokens for different registry.
+ * However, if the environment variable is undefined, it expands to an empty string, which
+ * produces a valid-looking mapping with an invalid URL that causes an error.  Instead,
+ * we'd prefer to skip that line and continue looking in other places such as the user's
+ * home directory.
+ *
+ * @returns
+ * The text of the the .npmrc with lines containing undefined variables commented out.
+ */
+function _copyAndTrimNpmrcFile(logger, sourceNpmrcPath, targetNpmrcPath) {
+    logger.info(`Transforming ${sourceNpmrcPath}`); // Verbose
+    logger.info(`  --> "${targetNpmrcPath}"`);
+    const combinedNpmrc = _trimNpmrcFile(sourceNpmrcPath);
    fs__WEBPACK_IMPORTED_MODULE_0__.writeFileSync(targetNpmrcPath, combinedNpmrc);
    return combinedNpmrc;
 }
@ -98,7 +123,9 @@ function _copyAndTrimNpmrcFile(logger, sourceNpmrcPath, targetNpmrcPath) {
 * The text of the the synced .npmrc, if one exists. If one does not exist, then undefined is returned.
 */
 function syncNpmrc(sourceNpmrcFolder, targetNpmrcFolder, useNpmrcPublish, logger = {
+    // eslint-disable-next-line no-console
    info: console.log,
+    // eslint-disable-next-line no-console
    error: console.error
 }) {
    const sourceNpmrcPath = path__WEBPACK_IMPORTED_MODULE_1__.join(sourceNpmrcFolder, !useNpmrcPublish ? '.npmrc' : '.npmrc-publish');
@ -117,6 +144,16 @@ function syncNpmrc(sourceNpmrcFolder, targetNpmrcFolder, useNpmrcPublish, logger
        throw new Error(`Error syncing .npmrc file: ${e}`);
    }
 }
+function isVariableSetInNpmrcFile(sourceNpmrcFolder, variableKey) {
+    const sourceNpmrcPath = `${sourceNpmrcFolder}/.npmrc`;
+    //if .npmrc file does not exist, return false directly
+    if (!fs__WEBPACK_IMPORTED_MODULE_0__.existsSync(sourceNpmrcPath)) {
+        return false;
+    }
+    const trimmedNpmrcFile = _trimNpmrcFile(sourceNpmrcPath);
+    const variableKeyRegExp = new RegExp(`^${variableKey}=`, 'm');
+    return trimmedNpmrcFile.match(variableKeyRegExp) !== null;
+}
 //# sourceMappingURL=npmrcUtilities.js.map

 /***/ }),
@ -253,7 +290,8 @@ __webpack_require__.r(__webpack_exports__);
 /* harmony import */ var path__WEBPACK_IMPORTED_MODULE_3___default = /*#__PURE__*/__webpack_require__.n(path__WEBPACK_IMPORTED_MODULE_3__);
 /* harmony import */ var _utilities_npmrcUtilities__WEBPACK_IMPORTED_MODULE_4__ = __webpack_require__(/*! ../utilities/npmrcUtilities */ 679877);
 // Copyright (c) Microsoft Corporation. All rights reserved. Licensed under the MIT license.
-// See the @microsoft/rush package's LICENSE file for license information.
+// See LICENSE in the project root for license information.
+/* eslint-disable no-console */



@ -359,6 +397,23 @@ function _getRushTempFolder(rushCommonFolder) {
        return _ensureAndJoinPath(rushCommonFolder, 'temp');
    }
 }
+/**
+ * Compare version strings according to semantic versioning.
+ * Returns a positive integer if "a" is a later version than "b",
+ * a negative integer if "b" is later than "a",
+ * and 0 otherwise.
+ */
+function _compareVersionStrings(a, b) {
+    const aParts = a.split(/[.-]/);
+    const bParts = b.split(/[.-]/);
+    const numberOfParts = Math.max(aParts.length, bParts.length);
+    for (let i = 0; i < numberOfParts; i++) {
+        if (aParts[i] !== bParts[i]) {
+            return (Number(aParts[i]) || 0) - (Number(bParts[i]) || 0);
+        }
+    }
+    return 0;
+}
 /**
 * Resolve a package specifier to a static version
 */
@ -379,12 +434,23 @@ function _resolvePackageVersion(logger, rushCommonFolder, { name, version }) {
            (0,_utilities_npmrcUtilities__WEBPACK_IMPORTED_MODULE_4__.syncNpmrc)(sourceNpmrcFolder, rushTempFolder, undefined, logger);
            const npmPath = getNpmPath();
            // This returns something that looks like:
-            //  @microsoft/rush@3.0.0 '3.0.0'
-            //  @microsoft/rush@3.0.1 '3.0.1'
-            //  ...
-            //  @microsoft/rush@3.0.20 '3.0.20'
-            //  <blank line>
-            const npmVersionSpawnResult = child_process__WEBPACK_IMPORTED_MODULE_0__.spawnSync(npmPath, ['view', `${name}@${version}`, 'version', '--no-update-notifier'], {
+            // ```
+            // [
+            //   "3.0.0",
+            //   "3.0.1",
+            //   ...
+            //   "3.0.20"
+            // ]
+            // ```
+            //
+            // if multiple versions match the selector, or
+            //
+            // ```
+            // "3.0.0"
+            // ```
+            //
+            // if only a single version matches.
+            const npmVersionSpawnResult = child_process__WEBPACK_IMPORTED_MODULE_0__.spawnSync(npmPath, ['view', `${name}@${version}`, 'version', '--no-update-notifier', '--json'], {
                cwd: rushTempFolder,
                stdio: []
            });
@ -392,16 +458,21 @@ function _resolvePackageVersion(logger, rushCommonFolder, { name, version }) {
                throw new Error(`"npm view" returned error code ${npmVersionSpawnResult.status}`);
            }
            const npmViewVersionOutput = npmVersionSpawnResult.stdout.toString();
-            const versionLines = npmViewVersionOutput.split('\n').filter((line) => !!line);
-            const latestVersion = versionLines[versionLines.length - 1];
+            const parsedVersionOutput = JSON.parse(npmViewVersionOutput);
+            const versions = Array.isArray(parsedVersionOutput)
+                ? parsedVersionOutput
+                : [parsedVersionOutput];
+            let latestVersion = versions[0];
+            for (let i = 1; i < versions.length; i++) {
+                const latestVersionCandidate = versions[i];
+                if (_compareVersionStrings(latestVersionCandidate, latestVersion) > 0) {
+                    latestVersion = latestVersionCandidate;
+                }
+            }
            if (!latestVersion) {
                throw new Error('No versions found for the specified version range.');
            }
-            const versionMatches = latestVersion.match(/^.+\s\'(.+)\'$/);
-            if (!versionMatches) {
-                throw new Error(`Invalid npm output ${latestVersion}`);
-            }
-            return versionMatches[1];
+            return latestVersion;
        }
        catch (e) {
            throw new Error(`Unable to resolve version ${version} of package ${name}: ${e}`);
--- a/rush.json
+++ b/rush.json
@ -15,7 +15,7 @@
   * path segment in the "$schema" field for all your Rush config files.  This will ensure
   * correct error-underlining and tab-completion for editors such as VS Code.
   */
-  "rushVersion": "5.99.0",
+  "rushVersion": "5.112.2",
  /**
   * The next field selects which package manager should be installed and determines its version.
   * Rush installs its own local copy of the package manager to ensure that your build process
@ -24,7 +24,7 @@
   * Specify one of: "pnpmVersion", "npmVersion", or "yarnVersion".  See the Rush documentation
   * for details about these alternatives.
   */
-  "pnpmVersion": "7.33.0",
+  "pnpmVersion": "8.14.1",
  /**
   * Options that are only used when the PNPM package manager is selected
   */